In a typical database management system, a user's permission to access data is typically granted by a database administrator at the level of data structures (e.g., specific tables, fields, classes or data types). Specific instances of data in those structures typically inherit the permission of their respective structures. Due to this approach, permission to access data is granted at the coarse grain of the data structures (e.g., access control is granted to all data of a particular data type), without regard to the specific instances of data stored in the structures, thus forcing the access control provision to be an all-or-nothing approach. Further problems arise for those creating reports that mix data from a variety of structures. To ensure that a user who executes a report sees what the report creator intends for the user to see, the report creator must be aware of the different data structures included in the report and is forced to provide the user permission to access to the data structures one at a time. When a report is created for multiple users, the report creator must grant permission to each user for each data structure. Thus, the burden on the report creator to provide permission to access the data in the report greatly increases with the increase in the number of users.